Re: [mod-security-users] How to limit access rate by header?
From: Luciano G. F. <luc...@gm...> - 2018-12-05 21:26:54
Thank you for your answer, but maybe I'm not asking it the right way or this is not the right place to ask(?). I need a ModSecurity rule (I'm using it through Apache) to be able to control hits from clients with a specific header, like "facebookexternalhit/1.1", i.e. to stop some aggressive bots hitting my webservers too often and eventually taking them down. I don't want to block them at all because I need some of them (like the Facebook bot to parse shared content), but I need a way to tell them "stop, retry in some seconds". Thanks.

On Wed., Dec. 5, 2018 at 16:16, Reindl Harald (h.r...@th...) wrote:

> On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> > First of all, I'm new here so I'm not sure this is the right place for
> > asking for help (free modsec version). If it's not, I'll really
> > appreciate it if you can tell me where I should go.
> >
> > I'm trying to limit hit rate by:
> >
> > 1. Request's header (like "facebookexternalhit").
> > 2. (All hits to non-static resources)
> >
> > And then return a friendly "429 Too Many Requests" and "Retry-After: 3"
> > (seconds). I know I can read a file of headers like:
> >
> > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
> >
> > But I'm having trouble building the entire rule.
> >
> > Any help would be really appreciated. Thank you!
>
> this is a non-issue
>
> normally you have rate-limits per IP in place and they should not be
> within the application layer at all and in the best case not even on the
> same machine
>
> that below is from a firewall-vm on a complete /24 network before any
> packet reaches a server at all, and for the individual servers there are
> similar rules with lower values per 2 seconds in place
>
> when the request reaches the webserver the damage is long done and if no
> damage is done you are wasting expensive resources with the rules
>
> Chain INBOUND (2 references)
>  pkts bytes target   prot opt in  out source    destination
>  1914  183K IPST_ALL all  --  *   *   0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
>  149K   15M DROP_ALL all  --  *   *   0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
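A worked ModSecurity 2.x configuration for the rule asked about in this thread (count hits per listed bot User-Agent on non-static resources, answer 429 with Retry-After: 3), added here as an example and not code from the thread or from the ModSecurity project. It assumes the `ratelimit-bots.txt` phrase file from the question, a configured `SecDataDir` for persistent collections, mod_headers loaded, and a constructed budget of 10 hits per 3 seconds; the rule ids and the `tx.bot` / `RATE_LIMITED` names are likewise assumptions.

```apache
# Added example, not from the thread. Assumes ratelimit-bots.txt holds one
# phrase per line (e.g. facebookexternalhit) and SecDataDir is already set.

# 1. Listed bot AND non-static resource: open a collection keyed on the
#    matched phrase and count the hit. The counter expires 3 seconds after
#    the last hit, so the budget below reads "hits per 3 seconds".
#    Counting happens in the last rule of the chain so it only runs when
#    both conditions match.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt" \
    "id:1000,phase:1,pass,nolog,t:none,capture,chain,\
     setvar:tx.bot=%{TX.0}"
    SecRule REQUEST_FILENAME "!@rx \.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)$" \
        "t:none,t:lowercase,\
         initcol:global=bot_%{TX.bot},\
         setvar:global.hits=+1,\
         expirevar:global.hits=3"

# 2. Over budget (constructed limit: 10 hits in the window): deny with 429
#    and flag the request so Apache can attach Retry-After to the error page.
#    GLOBAL:hits is absent for unlisted clients, so this rule never fires
#    for them.
SecRule GLOBAL:hits "@gt 10" \
    "id:1001,phase:1,deny,status:429,log,\
     msg:'Rate limit exceeded by bot %{TX.bot}',\
     setenv:RATE_LIMITED=1"

# mod_headers: 'always' is needed so the header is sent on error responses.
Header always set Retry-After "3" env=RATE_LIMITED
```

Tune the `@gt` threshold and `expirevar` window per bot by watching the `msg` entries in the audit log before relying on them, and keep the firewall-level per-IP limits from the reply above in front of this as the first line of defence.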